Impact
Metrics::Any::Adapter::DogStatsd versions prior to 0.04 for Perl fail to protect against metric injections, allowing an attacker to embed newline and control characters into metric streams or tags. This flaw enables the injection of arbitrary metrics or tag manipulation that can corrupt metric collection, lead to inaccurate monitoring data, or overload the monitoring system, effectively causing a denial of service on the metrics backend. The vulnerability is categorized as CWE-93, which involves improper neutralization of special elements used in data input, and also as CWE-150, indicating an access control weakness in the handling of metric data.
Affected Systems
The affected products are PEVANS::Metrics::Any::Adapter::DogStatsd 0.01 through 0.03 and any code that uses the underlying Metrics::Any::Adapter::Statsd component with the same vulnerability. Systems that incorporate these Perl modules for sending events to DogStatsd or similar statsd extensions are at risk if they have not upgraded to version 0.04 or later.
Risk and Exploitability
The CVSS score of 9.1 indicates critical severity; the EPSS score of 0.00316 indicates a very low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the attack vector is likely internal or application‑level; an attacker or malicious user who can send metrics to the vulnerable library can craft payloads containing newline and other control characters to trigger injection. The impact hinges on the availability of the metrics service and the ability to inject data, making the risk moderate to high for environments that rely on accurate monitoring for operational decisions.
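The following Perl sketch is an added example, not code from Metrics::Any::Adapter::DogStatsd. It shows how a newline in a tag value splits one statsd line into two, and how a caller-side allow-list rejects it before anything is sent. The helper names `format_unsafe` and `format_checked`, the allow-list policy and the sample input are assumptions made for illustration.

```perl
use strict;
use warnings;

# Naive formatter: caller-supplied strings go into the line unchanged.
# Line layout: name:value|type|#key:val,key:val
sub format_unsafe {
    my ($name, $value, $type, %tags) = @_;
    my $line = $name . ":" . $value . "|" . $type;
    $line .= "|#" . join(",", map { $_ . ":" . $tags{$_} } sort keys %tags)
        if %tags;
    return $line;
}

# Allow-lists (assumed policy, narrower than the protocol permits).
# \z is used rather than $ because $ also matches before a trailing "\n".
my $NAME_RE  = qr/\A[A-Za-z][A-Za-z0-9_.]*\z/;
my $TAG_RE   = qr/\A[A-Za-z0-9_.\/-]+\z/;
my $VALUE_RE = qr/\A-?\d+(?:\.\d+)?\z/;
my %TYPES    = map { $_ => 1 } qw(c g ms h s d);

# Checked formatter: dies on anything outside the allow-lists instead of
# silently rewriting it, so the bad input is visible to the caller.
sub format_checked {
    my ($name, $value, $type, %tags) = @_;
    die "bad metric name\n"  unless defined($name)  && $name  =~ $NAME_RE;
    die "bad metric value\n" unless defined($value) && $value =~ $VALUE_RE;
    die "bad metric type\n"  unless defined($type)  && $TYPES{$type};
    for my $k (sort keys %tags) {
        die "bad tag key\n"   unless $k =~ $TAG_RE;
        die "bad tag value\n" unless defined($tags{$k}) && $tags{$k} =~ $TAG_RE;
    }
    return format_unsafe($name, $value, $type, %tags);
}

# Constructed input: a tag value taken from request data with a newline in it.
my %tags = (region => "eu\nqueue.depth:0|g");

my @lines = split /\n/, format_unsafe("http.requests", 1, "c", %tags);
printf "unsafe formatter emitted %d metric line(s)\n", scalar @lines;

my $ok = eval { format_checked("http.requests", 1, "c", %tags); 1 };
print $ok ? "accepted\n" : "rejected: $@";

print format_checked("http.requests", 1, "c", region => "eu-west-1"), "\n";
```

A check like this belongs at the point where untrusted strings become metric names or tags; it complements the upgrade to 0.04 or later and does not replace it.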